Firefox knows what your friends did last summer

Update…

Mozilla have now fixed the problem, as of Thursday. Not only did they take down the original release, they also fixed it very quickly, within two days, which is very impressive. Good work!

I was writing some JavaScript and found that the following happens:

/undefined/.test(undefined) // true

The undefined value is converted to a string and then the test returns true. It surprised me but wasn't totally unexpected. Then I thought: if a string conversion is being done inside the native function, perhaps we can abuse that? Oh yes we can, I thought; how about we apply this to an x-domain protected object, e.g. the location of an external iframe? /businessinfo\.co\.uk/.test(document.getElementById('x').contentWindow.location) worked! But wait, if test works then so could exec, and we can get the location from an x-domain window: /(.+)/.exec(loc); also works, since the x-domain object is being converted to a string in the exec function too.

The first thing I thought was that I can use Twitter to identify the user, but how? /home doesn't return a unique URL. I was searching through Twitter to see which URLs redirected to a unique URL when I found /lists, which redirects to twitter.com/uid/lists. Perfect.

Here's how the PoC works. You need to be signed into Twitter using https. The PoC then opens a new window to the /lists URL on Twitter, waits 5 seconds, then calls a regex on the x-domain object to reveal the Twitter username.
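The coercion described above, as an added example that is not the post's PoC and runs in Node: it shows that RegExp's exec reaches the argument's toString, uses a constructed stand-in for window.location to contrast a correct same-origin implementation (string conversion throws) with the leaky behaviour, and includes a small guard for the /undefined/ footgun in ordinary code. The URLs, user id and the makeLocation helper are constructed placeholders, not real browser objects.

```javascript
// Added example, not code from the original post. Node-runnable model of
// the mechanism: RegExp.prototype.test/exec apply ToString to their
// argument, so whatever the argument's toString returns is what gets
// matched. The Location objects below are constructed stand-ins.

// Defensive helper for ordinary code: never coerce a non-string, so
// /undefined/ cannot match an undefined value by accident.
function testString(re, value) {
  return typeof value === "string" && re.test(value);
}

// Shows that the native exec() reaches into the object's toString().
function regexCallsToString() {
  let called = false;
  const obj = {
    toString() {
      called = true;
      return "https://social.example/12345/lists"; // constructed URL
    },
  };
  const m = /\/(\d+)\/lists/.exec(obj);
  return { called, captured: m ? m[1] : null };
}

// Stand-in for window.location. A correct same-origin implementation
// refuses string conversion of a foreign-origin location; the leaky
// behaviour the post describes is modelled by passing sameOrigin = true
// for a window that is really foreign.
function makeLocation(href, sameOrigin) {
  return {
    toString() {
      if (!sameOrigin) {
        throw new Error('SecurityError: Permission denied to access property "toString"');
      }
      return href;
    },
  };
}

// What a regex over the location yields: the captured user id if the
// object converts to its href, or "blocked" if conversion throws.
function probeLocation(loc) {
  try {
    const m = /\/(\d+)\/lists/.exec(loc);
    return m ? m[1] : null;
  } catch (e) {
    return "blocked";
  }
}
```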

LOL, I've exploited you all mentally. You cannot understand why I didn't take the cash. You then say it's for publicity, LOL, because it hurts your logic circuits. Listen, I love bugs, and so did everyone else; now most of you love your bounty.